Performance analysis of a Denial of Service protection scheme for optimized and QoS-aware handover

Computer Networks 49 (2005) 449–464 www.elsevier.com/locate/comnet

Performance analysis of a Denial of Service protection scheme for optimized and QoS-aware handover Tianwei Chen a, Michel Sortais b, Gu¨nter Scha¨fer a,*, Stefan Adams c, Changpeng Fan d, Adam Wolisz a a

Fachgebiet Telekommunikationsnetze, Technische Universita¨t Berlin, Germany b Math. Institut, Fak. II MA 7-4, Technische Universita¨t Berlin, Germany c Max Planck Institute for Mathematics in the Sciences, Leipzig, Germany d ICM N PG SP RC PN, Siemens AG, Germany Available online 9 June 2005

Abstract Quality of Service (QoS) mechanisms in networks supporting mobile Internet communications give rise to Denial of Service (DoS) threats: if the network cannot efficiently check the credibility of a QoS request during a handover process, malicious entities could flood the network with bogus QoS requests; if the authentication check is performed by means of an AAA protocol before the access network commits its resources, the authentication process may not only introduce a notable latency to the handover process, but also generate an extensive traffic in the presence of malicious requests, thus causing the network signaling capacity to degrade. In order to defend against these kinds of attacks and meet the low-latency micro-mobility handover requirement, we propose a preliminary authentication check with a cookie-based mechanism before processing the requests and performing authentication and authorization. Our performance evaluation shows that the cookie-based mechanism is efficient in dealing with the identified issues.
2005 Elsevier B.V. All rights reserved. Keywords: QoS; Mobility; DoS; Cookie protection; Performance analysis

1. Introduction *

Corresponding author. E-mail addresses: [email protected] (T. Chen), [email protected] (M. Sortais), [email protected] (G. Scha¨fer), [email protected] (S. Adams), changpeng. [email protected] (C. Fan), [email protected] (A. Wolisz).

In IP-based mobility scenarios, the handover signaling and Quality of Service (QoS) provisioning, which aim to guarantee certain service characteristics like end-to-end delay and jitter in a handover process, give rise to new threats that these mechanisms could be abused by malicious

1389-1286/$ - see front matter
2005 Elsevier B.V. All rights reserved. doi:10.1016/j.comnet.2005.05.015

450

T. Chen et al. / Computer Networks 49 (2005) 449–464

entities to launch so-called Denial of Service (DoS) attacks, which aim at reducing the availability of services to legitimate users. In an IP-based access network, a mobile node (MN) sends a request to an access router (AR) for a certain resource (see Fig. 1 for an illustration). If the network cannot check the credibility of a QoS request (i.e., whether the request originates from an MN that is actually authorized to use the services it is requesting), malicious entities could flood the network with bogus QoS requests in order to cause the exhaustion of the available resources through temporal reservations. This represents one specific DoS threat. A potential solution consists of the following procedure: when an access router (AR) receives a QoS request, before starting the resource reservation process, the AR communicates with a security authority, e.g., an AAA (Authentication Authoriostic and Accounting) server, to authenticate the MN and authorize the QoS request [1]. AR continues with the reservation process only once this security check passes. However, the latency introduced by proceeding to security checks at the AAAL (Local AAA), which includes the contribution of the propagation delay and processing time at AAAL, is not desirable when low latency of the registration process is a major concern. Moreover, the same checks at an AAA server have to be performed on all the bogus requests from attackers. Thus all the security check signaling may degrade

the performance of the access network substantially by depleting the signaling capacity of the path between the AR and the AAAL and exhausting the computing resource of the AAAL. This represents another specific DoS threat. To defend against the identified DoS threats and meet the low-latency requirement in intra-domain handovers, we propose a two-step procedure comprising of one preliminary credibility check, after which processing of the signaling request is either aborted or continued, and the second definitive authentication check as described above. The credibility check should have the following properties: performing the first check must be a quick operation, and ARs must not keep per-session or peruser state until the verification is complete. Up to now, two principal approaches for checking the credibility of a request have been proposed: exchanging ‘‘cookies’’ and solving ‘‘client puzzles’’. The concept of exchanging ‘‘cookies’’ has been introduced in the context of transactions between Web servers and browsers, where cookies are pieces of information generated by a Web server and stored in the userÕs computer, ready for future access. This idea has been adopted to provide protection against resource exhaustion DoS attacks in IPSecÕs key exchange protocol ISAKMP and the mobility support in IPv6 design [10]. In the ‘‘client puzzle’’ approach [3], a client is asked to solve a cryptographic puzzle and the server stores the protocol state and executes expensive operations only

Access Network INTERNET MAP ... AR

... ...

AAAL

Home Network HA

...

AR ... AR

AR

Mobile IP traffic AAA traffic Fig. 1. An overview of the involved entities.

AAAH

CN

T. Chen et al. / Computer Networks 49 (2005) 449–464

after it has verified the clientÕs solution. In this way, the puzzle can prevent intensive connection initiations from attackers, thus enhancing the DoS-resistance of a server. However, solving cryptographic puzzles imposes a computational burden on all legitimate clients, as well as requiring additional message elements to be exchanged. It would add a non-negligible latency to the establishment of a connection between client and server. In this paper, we therefore propose to use a cookie-based mechanism as the first credibility check. A cookie is verified by an AR to ensure that the QoS request sender is a credible registered user before processing the requests and performing authentication and authorization. This preliminary check enables us to prevent DoS attacks, both in the form of resource reservations along a path or keeping the AR busy through the processing of malicious QoS requests, with the help of an AAAL or possibly the home AAA server (AAAH). Our use of the cookie idea as a first step of authentication—a preliminary check of a requestÕs credibility—is completely new in IP-based mobile networks. After AR filters out most of the bogus requests without cookie or with false cookies by means of cookie verification, the access network has a lower burden in the authentication of QoS requests—the second step of authentication. Since it cannot be completely ruled out that an attacker gains access in the network with an eavesdropped cookie, it is necessary to perform the second step authentication with the help of the local AAA server. The remainder of the paper is organized as follows: Section 2 introduces related work; Section 3 describes the cookie-based mechanism in detail; Section 4 contains a comparative performance analysis using queueing theory. An overview of the corresponding results is given in Section 5, and Section 6 summarizes our contribution.

2. Related work So far the most common form of DoS is to cause excessive bogus traffic to a particular server so as to prevent legitimate users from getting services. To

451

deal with this kind of DoS attack, several defense techniques have been published, see, e.g., [3]. As mentioned above, the basic idea of cookies is adopted in the mobility support in IPv6 design. The correspondent nodes (CNs) do not have to retain any state about individual MNs until an authentic binding update (BU) arrives. When receiving a BU message, the CN includes a cookie in a message sent back to the sender according to the source address in the in-coming BU message. If the source address is not a bogus one from an attacker, the genuine sender will include the cookie in its following messages to the CN. It is stated that the cookie mechanism can protect the CN against memory exhaustion attacks except where on-path attackers are concerned. In contrast, our scheme is dealing with DoS attacks on the signaling capacity of the access network, a problem which has not been addressed previously. Currently QoS, DoS and low-latency handovers have been dealt with separately. Koodli proposed a fast handover approach to achieve seamless mobility [8]. It can also be integrated with the Context Transfer (CT) protocol for QoS support [11]. However, it did not address the DoS threat. In principle, in order to address the first aforementioned DoS threat, an authentication must be performed when the access network receives a QoS request. In addition to the fact that the authentication check is performed by an AAA protocol [5], which might post the second aforementioned DoS threat, the authentication check can be performed by the Context Transfer protocol [12]: the authentication data is transferred from the old AR to the new AR during a handover. According to a performance analysis work in [7], the authentication process is not optimized in non-predictive handovers since the new AR needs to communicate with the old AR for the authentication data. Moreover, CT cannot be useful in establishing a new QoS path. In the signaling design efforts of the Next Steps in Signaling (NSIS) working group in IETF, DoS attacks have been identified [6,15]. However, currently no scheme for QoS path establishment in mobility scenarios has addressed the DoS and handover optimization issues efficiently and practically.

452

T. Chen et al. / Computer Networks 49 (2005) 449–464

3. A cookie-based mechanism Fig. 1 shows an overview of a network with a hierarchical Mobile IPv6 (HMIPv6) [14] and Authentication, Authorization and Accounting (AAA) [5] joint architecture. During the intra-domain handover procedure, the MN needs to find out whether the path from the new AR to MAP can meet its QoS request. Each router along this path in the access network must determine whether it has sufficient resources to satisfy the per-hop QoS requirement of an MNÕs session. If the path from the new AR to MAP can satisfy the QoS request, it reserves the resource for the related session. Before the resource availability check and reservation, an efficient authentication check is mandatory to prevent DoS attacks and achieve low-latency handovers. The cookie-based mechanism is designed as an efficient authentication scheme meeting the following requirements: an AR can verify a cookie immediately upon receiving a QoS request; the cookie generation and verification must be lightweight; the entities in the access network are free from keeping per-client states until the cookie check passes. In the following, we first describe the data structure of a cookie and the mechanism operations, then we give a discussion and a summary. 3.1. The data structure of a cookie Fig. 2 shows the data fields of a cookie. The purpose of each field may be listed as follows: • MN_ID is the MNÕs unique identifier. This can be a local unique identifier the MN gets after its first registration. • Gen_ID identifies the cookie generator which is always an AR. It can be the ARÕs IP address or another unique identifier acceptable in the access network.

MN_ID# Gen_ID#C Creation_T

Random_Nr

Fig. 2. Cookie data fields.

CookieHash

• Creation_T is the timestamp marking when the cookie was generated. It is used to limit the cookieÕs period of validity. • Random_Nr is used to distinguish two cookies which are generated at the same time. • CookieHash: The hash code is a message digest of the cookie information and a cookie key. The hash function could, for example, be of either HMAC-MD5 or HMAC-SHA1 (note that collision resistance [13, Section 9.2.2] is not required for the creation and verification of cookies). The cookie key could be distributed from the MAP to each AR and updated by the MAP periodically. For example, a new cookie key could be distributed by the MAP every hour or day. In summary, a cookie is defined according to the following formula: CookieInfo :¼ ðIdentity MN ; Identity ARi ; TimestampARi ; RandomNumber ARi Þ; CookieHash :¼ HMACðCookieKey; CookieInfoÞ; Cookie :¼ ðCookieInfo; CookieHashÞ.

3.2. Mechanism operations The cookie-based mechanism is described in an access network which is based on a HMIPv6 and AAA joint architecture. The architecture includes an AAAL, a mobility anchor point (MAP) and ARs positioned linearly as shown in Fig. 4. • First cookie generation: When a mobile user enters an access network (e.g., it performs a global movement or powers up), the authentication on its first QoS request must involve a trusted network entity (e.g., in the mobile userÕs home network) because the user is unknown to the access network at the moment. As shown in Fig. 3, when an AR receives a QoS request from an MN, it first sends a message to the AAAL server for a security check. Since the MN is unknown in the access network, AAAL sends a message to the MNÕs AAAH for the authentication check [4]. After the authentication is done successfully at AAAH, the access network knows that the user is credible; AAAL caches the MNÕs

T. Chen et al. / Computer Networks 49 (2005) 449–464

AAAH

AR1

Internet

AAAL

AR2

AR3

453

MAP

AR4

AR5

AR6

AR7

AR8

MN Cookie is generated by AR2 Cookie is encrypted with the session key Fig. 3. MN obtains its first cookie from the access network.

MAP

AAAL

AR1

AR2

AR3

AR4

AR5

AR6

AR7

AR8

MN Cookie is generated by AR2 Cookie is transmitted to AR3 in plain text Fig. 4. AR3 verifies the cookie presented in plain text from the MN.

authorization information and MAP, AR2 (taken to be the associated AR in our example, see Fig. 4) and MN now know the session key which was generated by the MNÕs home domain. AR2 generates a cookie, encrypts the cookie with the session key, inserts the encrypted cookie in the BU acknowledgement (BU ACK) message which is generated by MAP and destined to MN. The MN can get its first cookie in the access network since the MN can derive the session key due to its long term trust relationship with its

home domain. Thus, MN gets its first cookie in the access network. • Cookie verification: In a local movement, as shown in Fig. 4, MN presents the cookie to a neighboring AR server (say AR3). Because there is no security association between MN and AR3 so far, the cookie is transmitted in plain text. When receiving the cookie, AR3 first performs a cookie verification. Each AR has a trusted list, a trusting list and a notified cookie list. The trusted list contains the ARs from which an AR can

454

T. Chen et al. / Computer Networks 49 (2005) 449–464

cesses can proceed in series or in parallel. If the two processes are successful, the AR3 can verify the authenticity of the registration request upon receiving the session key embedded in the BU ACK message from the MAP. When this check passes, the AR3 generates a new cookie, encrypts it with the session key and inserts it in the BU ACK message as shown in Fig. 5. The new cookie is used for its next registration and the old cookie is no longer valid in the access network.

accept cookies and verify them; the trusting list includes the ARs which can accept and verify its cookies. These notions will be discussed in more detail later. The cookie verification includes the following operations: – check the timestamp in the cookie to verify the cookie has not expired; – check the identity of the cookie generator to verify the cookie was created by an AR on its trusted list; – verify that the cookie is not on the notified cookie list (this list contains all the used cookies which may be accepted and verified by it); – if the above checks pass, AR3 computes a keyhashed digest of the cookie information by using a cookie key, and compares the computation result with the hash digest contained in the cookie. If the two hash digests match, the cookie check verification is completed successfully.

3.3. Discussion There are three main points in the design of this cookie mechanism: the presentation of a cookie in plain text, the notification of a used cookie, and the ‘‘area of validity’’. • Presenting a cookie in plain text: Mobile nodes always send cookies in plain text to access routers, as in the case of a handover, since the MN does not yet share a session key with the new access router at the time it sends the cookie. Although the cookie might be intercepted by an attacker when being presented in plain text, the risk of DoS attacks is reduced sufficiently. The reason for this is that the cookie mechanism reduces the overall number of ‘‘credible looking’’ handover requests, since every cookie can only be presented once. • Notification of used cookies: After verifying the cookie, AR3 notifies immediately AR2 about the cookie use and then AR2 notifies AR1, who is the remaining AR on AR2Õs trusting list, not to accept the cookie. All ARs are then free

After verifying a cookie successfully, AR3 informs AR2 who originally generated the cookie that it has the cookie. AR2 then notifies all other ARs on its trusting list to invalidate the cookie, preventing these ARs from accepting it again; indeed, an attacker could intercept the cookie from the open wireless interface and replay it to cheat these ARs for access. After the expiration of a cookieÕs lifetime, all ARs can delete it from the notified cookie list. • New cookie granting: When the cookie verification is completed successfully, QoS + BU [9] and authorization processes start. The two pro-

MAP

AAAL

AR1

AR2

AR3

MN

AR4

AR5

AR6

AR7

Cookie is generated by AR3; Cookie is encrypted with the session key

Fig. 5. MN obtains a new cookie after the re-registration procedure.

AR8

T. Chen et al. / Computer Networks 49 (2005) 449–464

paths as shown in Fig. 6. On the other hand, if each AR were to notify the rest of the access network when receiving a cookie, the propagation of notification messages would generate substantial traffic in the access network. Therefore, we introduce a limited ‘‘area of validity’’ for each cookie, the nodes in this area being the only ones that can accept the cookie. For example, each AR could have its adjacent ARs only on its trusting list and trusted list. AR2 would put AR1, AR3 and itself on its trusting list to form the ‘‘area of validity’’, meaning that the cookies generated by AR2 are only accepted by AR1, AR2 and AR3, while being rejected by other ARs (see Fig. 7).

from replay attacks, provided that the notification messages propagate faster than the time needed for an attacker to intercept a cookie and replay it. • Area of Validity: The ‘‘area of validity’’ is a group of ARs in which a cookie is valid. In other words, the ‘‘area of validity’’ corresponds to the trusting list of the cookie generator. When a cookie is presented in plain text to AR3 (see Fig. 4), if AR3 were not to notify other ARs about the use of the cookie, the cookie could be intercepted by an attacker in open air and replayed to other ARs. Consequently, the attacker could gain access at these ARs so as to make DoS attacks on the corresponding

MAP

AAAL

AR1

AR2

AR3

455

AR4

AR5

AR6

AR7

AR8

MN Attackers

AR with risk of replay attacks AR free from risk of replay attacks Path with risk of DoS attacks Fig. 6. Threat of replayed cookie without limited AOV and notification.

area of validity , of AR2 s cookies , = AR2 s trusting list

AR1

AR2

MAP

AAAL

AR3

AR4

AR5

AR6

AR7

AR8

MN Attackers

AR with risk of replay attacks AR free from risk of replay attacks Path with risk of DoS attacks Fig. 7. Threat of replayed cookies with limited AOV and without notification.

456

T. Chen et al. / Computer Networks 49 (2005) 449–464 area of validity , AAAL of AR2 s cookies , = AR2 s trusting list

AR1

AR2

AR3

MAP

AR6

AR5

AR4

AR8

AR7

MN

notification

Attackers

AR free from risk of replay attacks Path free from risk of DoS attacks Fig. 8. Replay protection with limited ‘‘AOV’’ and cookie notification.

Necessarily, both AR1 and AR3 have AR2 on their own trusted list and they can accept cookies generated by AR2. • Notification of used cookies: As shown in Fig. 8, after verifying the cookie, AR3 immediately notifies AR2 about the cookie use and then AR2 notifies AR1, who is the remaining AR on AR2Õs trusting list, not to accept the cookie. All ARs are then free from replay attacks, provided that the notification messages propagate faster than the time needed for an attacker to intercept a cookie and replay it.

4. Performance evaluation In order to evaluate the performance of the cookie-based mechanism in reducing the risks of DoS attacks and in benefitting from the optimized intra-domain handovers, three parameters should be examined: • Mean response time: The duration between the transmission of the first bit of a registration request of a legitimate MN and the arrival of the last bit of the corresponding registration response. • Mean queue length at AAAL: How long in average is the queue of new jobs waiting for service at the AAAL server? In the absence of a cookie protection or with such a protection? This metric indicates that in the absence of a cookie pro-

tection, there are many conditions under which DoS occurs through an overflow of traffic at AAAL, whereas the use of a cookie mechanism enables one to prevent completely such DoS (under the same hypothesis regarding the attacking and the frequency of legitimate MN requests). • Size of the waiting room at AR: Another disadvantage of the no-cookie scenario lies in the fact that the AR server has to store some (e.g., 500 bits long) jobs until receiving an answer from AAAL, and many of these jobs may actually correspond to false requests. Considering the AR server of a cell that is under attack, we use a (continuous time) Markov chain method in order to compute the mean value of the total queue length in such a ‘‘waiting room’’. These parameters are examined in three different processing schemes as shown in Figs. 9–11, respectively: • Case 0. No cookie protection: In a given cell (cell ]m) which has one AR, MNs and attackers

Qf,m Qb,m

MN ARm AT

G

G

Qe

Qc MAP

Qa,m

AAAL Qd

Fig. 9. Processing scheme in Case 0.

T. Chen et al. / Computer Networks 49 (2005) 449–464

Qf,m

G

G

Qe

MN ARm AT

MAP

AAAL

Qc

Qa,m

Qd

Fig. 10. Processing scheme in Case 1.

Qf,m

G

MN ARm AT

Qa,m

MAP Qc

Fig. 11. Processing scheme in Case 2.

(AT) send QoS requests in registration messages to the AR (ARm). The arrival messages are queued in Qa,m of ARm if the processor is busy. Since (AA) checks need to be performed at AAAL before initiating the resource reservation process, ARm caches temporarily the corresponding QoS request information in Qb,m (which serves as a ‘‘waiting room’’). When a reply message for a genuine request arrives at ARm, ARm discards all the priors in Qb,m since these are regarded as bogus requests, provided all the (AA) checks at AAAL require the same time. • Case 1. Cookie protection and the resource reservation and authorization processes are in series: In the ARmÕs cell, MNs and ATs send QoS requests with cookies to Qa,m of ARm. Before processing the requests, ARm verifies the cookie. If the verification fails, ARm drops the request in ‘‘G’’ (denoting garbage) silently. If the verification succeeds, ARm sends the notification message and starts the resource reservation procedure immediately, checking its available bandwidth and sending the QoS request to Qc of MAP. MAP performs the same check. Before MAP sends a reply destined to MN, including the check result and the session key, to Qf,m of ARm, it generates a new message and sends it to Qd of AAAL for the authorization check. When the authorization check passes, AAAL sends a message to Qe of MAP. When ARm

457

receives the reply from MAP, it performs an authentication check to the QoS request with the session key. If the check passes, while removing the session key from the reply message, it generates a new cookie, encrypts it with the session key, inserts the encrypted cookie in the reply, and forwards it to the corresponding MN. • Case 2. Cookie protection and the resource reservation and authorization processes are in parallel: ARm performs the same cookie verification when receiving a QoS request from either a MN or an AT. If the verification fails, ARm also drops the request to ‘‘G’’. If the verification passes, ARm starts the two processes in parallel. Meanwhile, it sends the notification message. It is assumed that the result of the authorization process arrives earlier than that of the resource reservation process. Therefore, the time spent on the authorization process has no contribution to the response time of a registration process and the authorization process can be ignored from the analysis. In all three cases, kMN denotes the Poisson rate of messages, sent by MNs in a given cell, whereas kAT denotes the Poisson rate of messages sent by Attackers in a cell that is currently under attack. We also let M denote the total number of cells, whereas N stands for the total number of cells that are currently under attack. The message sending process in a given cell (cell ]m, 1 6 m 6 M) is therefore a Poisson process with intensity k that is either equal to kMN (no attack) or to kMN + kAT (attack). The asymptotic mean arrival rate at Qa,m, namely k
a;m , is defined as: k
a;m ¼ lim

t!þ1



E½]ðarrivals at Qa;m during time ½0; tÞ ; t

and we let k
c ; k
d ; k
e and k
f ;m be the asymptotic mean arrival rates corresponding to Qc, Qd, Qe and Qf,m respectively. The asymptotic mean arrival rates at each of the remaining queues may then be determined as functions of M, N, kMN and kAT.

458

T. Chen et al. / Computer Networks 49 (2005) 449–464

Indeed, in case 0:

In case 0, the time needed for the execution of a job depends on the authenticity of the corresponding request, so that

k
c ¼ 2MkMN þ N kAT ; k
d ¼ N ðkMN þ kAT Þ þ ðM  N ÞðkMN Þ; k
e ¼ MkMN ;

Eðxd Þ ¼

k
f ;m ¼ 2 kMN ;

N kAT MkMN Tþ ðt3 þ T Þ; MkMN þ N kAT MkMN þ N kAT

in case 1: k
c ¼ MkMN ¼ k
d ¼ k
e ; k
f ;m ¼ kMN , and in case 2: k
c ¼ MkMN ; k
f ;m ¼ kMN .

whereas in case 1 we simply have Eðxd Þ ¼ t3 . Using LittleÕs theorem thus yields:

4.1. Waiting times at different queues, total response time

EðW d Þ ¼ ðkÞ

Consider the random variables W ðkÞ a;m and RARm defined by: W ðkÞ a;m :¼ total time spent waiting in queue Qa,m by job ]k, and ðkÞ RARm :¼ residual service time in ARm upon arrival of kth job. ðkÞ

ðkÞ

ðkÞ

lim EðW ðkÞ a;m Þ;

k!þ1

and we simply write EðW a;m Þ for it in the sequel, calling it the mean queue length or mean waiting time at Qa,m (refer to Table 2 for a list of processing time parameters). It turns out that these mean waiting times may be evaluated by using two basic principles from Queueing Theory: Little’s theorem and the Pollaczek–Khinchine formula (as applied to priority queueing systems, see, e.g., [2]). As an example, let us outline the computation of the mean waiting time at Qd in case 0 and in case 1. First, according to LittleÕs theorem, the mean number of jobs waiting for service in Qd is given by EðLd Þ ¼ k
d EðW d Þ. Secondly, denoting by Eðxd Þ the mean time needed for the execution of a single job queued through Qd, we also know that EðW d Þ relates to the mean residual service time EðRAAAL Þ in such a way that EðW d Þ ¼ EðLd ÞEðxd Þ þ EðRAAAL Þ.

so that it just remains to compute EðRAAAL Þ, which is a simple application of the Pollaczek–Khinchine formula. Indeed, in case 0 we have 1 2 EðRd Þ ¼ fðN kAT ÞT 2 þ ðMkMN ÞðT þ t3 Þ g; 2 whereas in case 1:

ðkÞ

ðkÞ Define W b;m ; W ðkÞ c ; RMAP ; W d ; RAAAL ; W e ðkÞ and W f ;m in a similar way (job ]k in Qc is the kth job having been stored in Qc). We are interested in limits such as

EðRAAAL Þ ; 1  k
d Eðxd Þ

EðRd Þ ¼

ðMkMN Þ2 2 t3 . 2

The total response time s defined in the preceding subsection has an asymptotic mean value which may in turn be presented as a combination of mean waiting times and deterministic times. Indeed:
In case 0, one has ð0Þ

ð0Þ

ð0Þ

EðsÞ ¼ C 1;2 þ EðW a;m Þ þ t1 þ C 2;3 þ EðW c Þ þ C 3;4 ð0Þ

þ EðW d Þ þ t3 þ T þ C 4;3 þ EðW e Þ þ 2t2 ð0Þ ^ ð0Þ þ EðW c Þ þ C 3;2 þ EðW f ;m Þ þ 4t4 þ C 2;3

^ ð0Þ þ EðW f ;m Þ þ C ð0Þ . þC 2;1 3;2 ð0Þ

C 1;2 being the transmission time for the wireless ð0Þ up-link channel, the further C i;j Õs being transmission parameters for the further messages and links, and t1, t2, t3, t4, T denoting some fixed processing time parameters (see Tables 1 and 2).
In case 1, we have ð1Þ

ð1Þ

EðsÞ ¼ C 1;2 þ EðW a;m Þ þ 4t4 þ 3T þ C 2;3 þ EðW c Þ ð1Þ

ð1Þ

ð1Þ

þ C 3;4 þ EðW d Þ þ C 4;3 þ EðW e Þ þ t3 þ C 3;2 ð1Þ

þ EðW f ;m Þ þ C 2;1 .

T. Chen et al. / Computer Networks 49 (2005) 449–464

and from there on, the mean queue length EðLd Þ (mean number of tasks buffered in Qd) may be easily derived using LittleÕs theorem.

Table 1 Link and message length parameters Parameter

Value

Wireless link MN $ AR Wired link AR $ MAP $ AAAL Wireless PHY + MAC Header Wired PHY + MAC Header IPv6 Header QoS Hop-By-Hop Option Home Address Option BU/BU ACK ESP Header ESP Authentication Extension Authenticator Cookie

11/54 Mbps 100 Mbps 58 bytes 26 bytes 40 bytes 82 bytes 18 bytes 6 bytes 8 bytes 16 bytes 20 bytes 32 bytes (HMAC-SHA)

459

4.3. Queue length in the ‘‘waiting room’’ In the analysis of the length of the ‘‘waiting room’’ Qb,m of case 0, the only jobs that will be further processed are the ‘‘good jobs’’ corresponding to genuine requests. On the basis of the scenario given for case 0, the asymptotic mean total time elapsed between the storage of a ‘‘good job’’ in Qb,m and its marking as a ‘‘good job’’ by the AA acknowledgement message is given by ð0Þ

ð0Þ

þ EðW d Þ þ t3 þ T þ C 4;3 þ EðW e Þ

Symbol

Timea (ls)

Remark

t1 t2 t3 t4 T

152 20 152 220 40

Generate an AA request/answer Forward an AA request/answer Perform an authorization check Check, reserve or confirm resources Perform authentication check; Generate or verify a cookie

ð0Þ

þ t2 þ C 3;2 þ EðW f ;m Þ þ t4 . Via LittleÕs Theorem, the asymptotic mean number of ‘‘good jobs’’ waiting for service in Qb,m is given by EðN b;m;good Þ ¼ k
b;m;good EðW b;m;good Þ

a The processing time values are obtained from measurements on Pentium III 600 machines.

ð2Þ

¼ kMN EðW b;m;good Þ. Taking also the arrivals of ‘‘bad jobs’’ (i.e., fake requests) into account, one may then express the asymptotic total length of Qb,m as
 ð1Þ ð2Þ EðLb;m Þ ¼ kMN EðW b;m;good Þ 1 þ lb;m þ lb;m .


In case 2, we have ð1Þ

EðsÞ ¼ C 1;2 þ EðW a;m Þ þ 3t4 þ 3T þ C 2;3 þ EðW c Þ ð1Þ

ð0Þ

EðW b;m;good Þ ¼ t1 þ C 2;3 þ EðW c Þ þ t2 þ C 3;4

Table 2 Processing time parameters

ð2Þ

þ C 3;2 þ EðW f ;m Þ þ C 2;1 .

ð2Þ

4.2. Queue length at AAAL A computation of the mean waiting time at Qd was already outlined in the preceding subsection; one thus obtains for case 0: EðW d Þ

As shown in Fig. 12, lb;m above denotes the asymptotic mean number of ‘‘residual bad jobs’’ in Qb,m (those ‘‘bad jobs’’ that are located below ð1Þ the lowest ‘‘good job’’ in Qb,m), whereas lb;m stands for the asymptotic mean number of ‘‘bad jobs’’ that are located in between two consecutive ‘‘good jobs’’ in Qb,m (‘‘intermediate bad jobs’’). In Fig. 12 the number of ‘‘residual bad jobs’’ is 3; when a ‘‘good job’’ is marked through an AA

2

¼

ðN kAT þ MkMN ÞfðN kAT ÞT 2 þ ðMkMN ÞðT þ t3 Þ g 2ð1  fðN kAT ÞT þ ðMkMN ÞðT þ t3 ÞgÞ

Residual bad jobs

Intermediate bad jobs

and for case 1 EðW d Þ ¼

ðMkMN Þ2 2 t3 2

1  MkMN t3

B

B

B

G

G

B

B

G

B

; Fig. 12. Record of stored jobs in ‘‘waiting room’’.

B

460

0

T. Chen et al. / Computer Networks 49 (2005) 449–464

π0

1

π1

2

π2

3

π3

4

π4

5

π5

6


 ðtÞ Fig. 13. The transition diagram for qb;m

π6

ð1Þ

...

.

tP0

acknowledgement message, the corresponding data is taken away for further treatment, while the jobs prior to it are discarded. ð1Þ ð2Þ The mean values lb;m and lb;m can be computed by introducing
an appropriate continuous-time  ðtÞ Markov chain qb;m that is counting the tP0

‘‘residual bad jobs’’ in the course of time.
 ðtÞ qb;m has the transition diagram given in

As for lb;m , the asymptotic mean number of bad jobs separating two consecutive good jobs in Qb,m, it may be seen to satisfy
 ð1Þ ðtÞ lb;m ¼ lim E wb;m ; t!1
 ðtÞ is an integer-valued process such where wb;m tP0 that 8
kl
 < kAT k P l P 0; ðtÞ ðtÞ kAT þkMN P wb;m P k j qb;m ¼ l ¼ : 1 l > k P 0.
 ðtÞ Sampling qb;m from its equilibrium, tP0 1
 X ð1Þ ðtÞ P wb;m P k lb;m ¼ lim t!1

tP0

Fig. 13, and the corresponding transition rates are given by  d
ðtþdtÞ ðtÞ r0;1 ¼ P qb;m ¼ 1 j qb;m ¼ 0 dt ¼ kAT ¼ r1;2 ¼ r2;3 ¼    ;  d
ðtþdtÞ ðtÞ r1;0 ¼ P qb;m ¼ 0 j qb;m ¼ 1 dt

¼

k¼1

kAT þ kMN kMN k2AT  þ . kMN kAT þ kMN ðkAT þ kMN ÞkMN

The mean asymptotic queue length at Qb,m is now given by
 ð1Þ ð2Þ EðLb;m Þ ¼ 1 þ lb;m kMN EðW b;m;good Þ þ lb;m .

5. Results and interpretation

¼ kMN ¼ r2;0 ¼ r3;0 ¼    : Let p = (p0, p1, p2, . . .) denote the invariant probability measure associated with this chain; according to the ‘‘global balance equations’’:

whereas

In this section we will evaluate the metrics derived in the previous section with actual parameters from existing technologies in order to obtain a performance assessment of our cookie protection scheme for realistic scenarios. Table 1 shows the assumed link speeds and the message lengths according to the relevant communication and signaling protocols, whereas Table 2 lists up the processing times of individual protocol steps obtained by measurements with a prototypical implementation.

p1 ðr1;0 þ r1;2 Þ ¼ p0 r0;1 ; p2 ðr2;0 þ r2;3 Þ ¼ p1 r1;2 ; . . .

5.1. Total response time

p0 r0;1 ¼ p1 r1;0 þ p2 r2;0 þ    ; showing that p0 kAT ¼ ð1  p0 ÞkMN ;

p0 ¼

kMN ; kMN þ kAT

so that altogether:  k kMN kAT pk ¼ ; kMN þ kAT kMN þ kAT

8k P 0.

The asymptotic mean number of ‘‘residual bad jobs’’ at Qb,m may thus be computed as
 X kAT ð2Þ ðtÞ lb;m ¼ lim E qb;m ¼ kpk ¼ . t!1 kMN kP1

Fig. 14 shows the total response time in relation to the attacking rate per cell, when the wireless links are assumed optimistically to offer 54 MBit/s (physical layer according to IEEE 802.11a, leading to C1,2  50 ls), M = 50 cells are connected to one AAA-server, 10 cells are under attack and x = 40 [messages/s] are sent by genuine clients. As can be seen, a DoS situation occurs in case 0 but not

T. Chen et al. / Computer Networks 49 (2005) 449–464 7

7 Response time in Case 0 Response time in Case 1 Response time in Case 2

6 Response time (millisec)

Response time (millisec)

6

5

4

3

4

3

2

1

1

200

400

600

800

1000

1200

Response time in Case 0 Response time in Case 1 Response time in Case 2

5

2

0 0

461

0 0

1400

200

400 600 800 1000 1200 Attacking rate in one cell (messages per sec)

Attacking rate in one cell (messages per sec)

in the cookie mechanism cases. In case 0 the total response time grows abruptly when the attacking rate approaches 1500 messages/s. The cookie mechanism requires around one additional millisecond of processing but the system is able to serve genuine clients up to any attacking rate, of course provided that there is still bandwidth left in the respective radio cell. Therefore, our DoS protection scheme offers a significant improvement over the unprotected case. In case of a slower wireless uplink with C1,2  300 ls (corresponding to an IEEE 802.11b WLAN operating at 11 MBit/s with long physical layer preamble) Fig. 15 again shows that a DoS situation would not occur before around 1500 messages/s are sent per cell. However, this attacking rate well exceeds the range in which it can be assumed that the attacker will be able to send his attacking packets over the wireless channel. Therefore, our DoS protection scheme does not offer a benefit in cases with rather low wireless channel capacity, or otherwise stated, more wireless cells have to be supported with one AAA server until our DoS protection scheme offers a significant improvement. The cost of implementing the cookie mechanism corresponds to the discrepancy between the lines of response time in cases 0 and 1 (see Figs. 14 and 15). Before the attacking rate reaches a saturation point, case 0 performs slightly better than case 1; however, when the attacking rate is running over

Fig. 15. Total response time for Slow Speed uplink with C1,2  300 ls, M = 50 cells and N = 10 cells under attack for MN rate x = 40 [messages/s].

the saturation point, the cookie mechanism takes obvious effect in preventing a DoS attack, and at any rate, a cost of less than 2 ms is negligible. 5.2. Queue length at AAAL Fig. 16 shows the queue length at the AAA server for case 0 under the same conditions as in Fig. 14. This graph clearly shows that the DoS situation is caused by the overloading of the AAA server and not by exceeding the transmission capacities of the access network. Under these conditions, the AAA server is not able to keep up

100000

Queue length at Qd in Case 0 Queue length at Qd (number of tasks)

Fig. 14. Total response time for high speed uplink with C1,2  50 ls, M = 50 cells and N = 10 cells under attack for MN rate x = 40 [messages/s].

1400

80000

60000

40000

20000

0 0

200

400 600 800 1000 1200 Attacking rate in one cell (messages per sec)

1400

Fig. 16. Queue length at AAAL for high speed uplink C1,2  50 ls, M = 50 cells and N = 10 cells under attack for MN rate x = 40 [messages/s].

462

T. Chen et al. / Computer Networks 49 (2005) 449–464

Queue length at the ’waiting room’ (number of jobs)

800 700

Queue length at the waiting room with x=10 Queue length at the waiting room with x=40

600 500 400 300 200 100 0

0

100

200

300 400 500 600 700 800 Attacking rate in one cell (messages per sec)

900

Fig. 17. Queue length in the waiting room for high speed uplink C1,2  50 ls, M = 50 cells and N = 25 cells under attack and different MN rates x.

with checking and discarding bogus messages being sent by attackers, so that the genuine requests from honest clients cannot be processed in time. 5.3. Queue length in the ‘‘waiting room’’ Fig. 17 shows the queue length in the ‘‘waiting room’’ of an access router in a cell which is under attack (here we assume that 25 out of 50 cells are under attack). Depending on the rate of genuine requests by honest clients (x = 10 messages/s vs. x = 40 messages/s) a DoS situation will occur earlier. The reason for this behaviour lies in our strategy to silently discard bogus requests directly after they have been identified at the AAA server in order to save AAA processing capabilities. This implies that access routers need to receive a response to a genuine request, in order to be able to discard all bogus messages between two genuine requests. Furthermore, it can be seen from this graph that memory depletion situations can occur at access routers under attack. However, the most critical system in the access network infrastructure is the central AAA server.

6. Conclusions In this paper, we described a cookie-based mechanism to protect against DoS attacks for optimized and QoS-aware handovers by perform-

ing a simple and preliminary check with a cookie before the QoS reservation and authorization processes begin. We also provided a performance evaluation which shows that the cookie mechanism is a method to protect against DoS attacks in the QoS reservation process in a distributed scenario, to speed up registration in the intra-domain handover case by paralleling the QoS reservation process and AA process without introducing additional DoS risks. Furthermore, our scheme reduces the risk of replayed cookies by implementing an ‘‘area of validity’’ in which a cookie is acceptable, and by communicating cookies that have been used once at a particular AR to other ARs in the same area of validity. The mechanisms of this solution can additionally protect against the following depletion threats (which exist when authentication and resource reservation are performed in parallel or sequentially): depletion of the memory of access routers, that would have to maintain state while the authentication of the MN is fetched from the AAAL, depletion of signaling capacity in the access network (by preventing signaling traffic for bogus requests which have not been verified before as being ‘‘credible’’), and depletion of the resources of the AAAL (by shielding the AAAL server from authentication requests which result from bogus QoS requests). Acknowledgements This work has been supported in part by a research contract with Information and Communication Mobile, Siemens AG. The work of S. Adams was supported by DFG Research Center ‘‘Mathematics for key technologies’’ (FZT 86) Berlin. M. Sortais was supported by the Graduiertenkolleg ‘‘Stochastische Prozesse und Probabilistische Analysis’’ Berlin and by the Swiss NSF.

References [1] Mobility Architecture Implementation Report, D0302 IST2000-25394 Moby Dick, December 2002. [2] S. Asmussen, Applied Probability and Queues, second ed., Springer-Verlag, 2003.

T. Chen et al. / Computer Networks 49 (2005) 449–464 [3] T. Aura, P. Nikander, J. Leiwo, DOS-resistant authentication with client puzzles, Lecture Notes in Computer Science 170 (2001) 2133. [4] P. Calhoun, T. Johansson, C. Perkins, Diameter Mobile IPv4 Application, Internet Draft: draft-ietf-aaa-diametermobileip-20.txt, August 2004. [5] P. Calhoun, J. Loughney, E. Guttman, G. Zorn, J. Arkko, Diameter Base Protocol, RFC 3588, September 2003. [6] H. Chaskar (Ed.), Requirements of a Quality of Service (QoS) Solution for Mobile IP, RFC 3583, September 2003. [7] T. Chen, M. Sortais, G. Scha¨fer, A. Wolisz, A performance study of session state re-establishment schemes in ip-based micro-mobility scenarios, in: Proceedings of the 12th Annual Meeting of the IEEE/ACM International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems (MASCOTS), Volendam, Netherlands, October 2004, in press. [8] R. Koodli (Ed.), Fast Handovers for Mobile IPv6, Internet Draft: draft-ietf-miopshop-fast-mipv6-03.txt, October 2004. [9] X. Fu, H. Karl, C. Kappler, QoS-conditionalized Handoff for mobile IPv6, in: Proceedings of the 2nd IFIP-TC6 Networking Conference (Networking 2002), SpringerVerlag, Pisa, Italy, 2002, pp. 721–730. [10] D. Johnson, C. Perkins, J. Arkko, Mobility Support in IPv6, Internet Draft: draft-ietf-mobileip-ipv6-24.txt, June 2003. [11] R. Koodli, C. Perkins, Fast handovers and context transfers in mobile networks, ACM Computer Communication Review 31 (No. 5) (2001). [12] J. Loughney, M. Nakhjiri, C. Perkins, R. Koodli, Context Transfer Protocol, Internet Draft: draft-ietf-seamoby-ctp05.txt, October 2003. [13] A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography, CRC Press LLC, 1997. [14] H. Soliman, C. Castelluccia, K. El-Malki, L. Bellier, Hierarchical Mobile IPv6 Mobility Management (HMIPv6), Internet-Draft: draft-ietf-mipshop-hmipv600.txt, June 2003. [15] H. Tschofenig, D. Kroeselberg, Security Threats for NSIS, Internet Draft: draft-ietf-nsis-threats-06.txt, October 2004.

Tianwei Chen studied electronic engineering in the Electronic Engineering Department at Beijing Polytechnic University from 1988 to 1996. During this period, he obtained his bachelor and master degrees. Afterwards he worked at Hewlett Packard. In 2000 he started his Ph.D. study in Telecommunication Networks Group (TKN) at the Technical University in Berlin. His research interests include

463

network security, Quality of Service (QoS) and mobile communications.

Michel Sortais studied Mathematics at the Swiss Federal Institute of Technology in Lausanne. Specializing in Probability Theory and Statistical Mechanics, he obtained the PhD degree from this institution in October 2001. Since then, he has been a teaching and research assistant at the Technical University in Berlin, joining the DFG Research Center ‘‘Mathematics for Key Technologies’’ in October 2002. His current interests include engineering applications of Probability such as Queuing Theory or Mobility Models.

Gu¨nter Scha¨fer received his diploma and Ph.D in computer science from the University of Karlsruhe in 1994 and 1998, respectively. Between February 1999 and July 2000 he took a post at the Ecole Nationale Supe´rieure des Te´le´communications in Paris, France, where he focused on network security and access network performance of third-generation mobile communication networks. Since August 2000, he is working at the Technical University of Berlin where he is involved in research and lectures on the subject of telecommunications networks. His main subject areas are network security, mobile communication and active network technologies. He is a member of the Association for Computing Machinery (ACM), the Institute of Electrical and Electronics Engineers (IEEE) and the German Gesellschaft fu¨r Informatik (Computer Science Society).

Stefan Adams is a research assistant at the Max-Planck-Institute for Mathematics in the Sciences, Leipzig, Germany. He received the Dipl.-Phys. degree from the University of Go¨ttingen, Germany, in 1995, and the Dipl.Math. degree from the University of Hagen, Germany, in 1998, both in theoretical physics and mathematics. He received his Ph.D. in mathematics from the University of Munich in 2000. He was a member of the new German Science Foundation research center for mathematics in key technologies, FZT86, Berlin. Since October 2004 he is a researcher of the MaxPlanck-Institut for Mathematics in Science in Leipzig.

464

T. Chen et al. / Computer Networks 49 (2005) 449–464

Changpeng Fan has been with Siemens AG since 2000, where he is currently a Senior Technology Manager at the Research and Concepts Department of Siemens Communications. Prior to this, he was a Senior Researcher at the GMD Research Institute for Open Communication Systems and a Senior Research Staff Member at the C&C Research Laboratories of NEC Europe. He has authored and co-authored several dozens of refereed papers in technical journals and conference proceedings, mainly on multimedia communications and mobile networks. He received his B.S. and M.S. degrees from Nanjing University, his Ph.D. degree from the Technical University of Berlin, all in Computer Science.

Adam Wolisz is currently a Professor of Electrical Engineering and Computer Science (secondary assignment) at the Technical University Berlin, where he is directing the Telecommunication Networks Group (TKN). He is also member of the Senior Board of GMD Fokus, being especially in charge of the Competence Centers GLONE and TIP. His teaching activ-

ities encompass courses on Communication Networks and Protocols, High Speed Networks, Wireless Networks and Performance Analysis of Communication Networks. He is acting as a member of the Steering Committee of the Computer Engineering Curriculum at the Technical University Berlin. He participates in the nationally (Deutsche Forschungsgemeinschaft) founded Graduate Course in Communication-Based Systems. His research interests are in architectures and protocols of communication networks as well as protocol engineering with impact on performance and QoS aspects. Recently he has been working mainly on mobile multimedia communication, with special regard to architectural aspects of network heterogeneity and integration of wireless networks in the Internet. The research topics are usually investigated by a combination of simulation studies and real experiments. He has authored two books and authored or co-authored over 100 papers in technical journals and conference proceedings. He is Senior Member of IEEE, IEEE Communications Society (including the TCCC and TCPC) as well as the GI/ITG Technical Committee on Communication and Distributed Systems.